Video Upload Native Desktop Application vs. OAuth2

Regarding best (practice) in such a case: if you’re talking about an online website, wouldn’t it provide me, as the operator, a chance of obtaining access_tokens from users I have no relation to? If this approach avoids one OAuth-related security risk, wouldn’t it introduce another? Except if it’s a trusted party, like a Twitch endpoint to display the access_token, or if I could become trusted enough (for example, restream.io does it this way with the streaming API key, but they also probably take in stream data to distribute it, whereas I never want to see a single one of the videos uploaded via my application, meaning: they have a good reason to be trusted, they actually work with the data).

I don’t think that I have to distribute my or any given secret with the package, as I have it kind of working (I assume) with just sending the user off to a browser by only providing the non-secret client_id, and the target URL for sending the login/grant form does the redirect in the browser while containing the access_token, which at the moment results in “Unable to connect” to localhost as no server is running. If I could reference a local file via relative name or absolute or file://, but the latter could expose user paths to Twitch.

I think I could start node.js locally and then write the access_token to the file system (or pass it to my application in some way) or display it for copy/paste, but then the question could become, if I already have to use node.js, the entire application could be made with JS+node.js, and then there’s no reason any more to have it as a local application, it could also run on the web, and as it runs in the browser, it could be difficult to explain to users that it’s all local and I as developer get to see nothing of their data or secret keys. OAuth is the same thing the other way around: native applications specifically need to open the browser to have the user log in with the visible, verifiable domain of Twitch in the address bar for them to believe that they don’t provide their password directly to my code.

Thank you very much for your reply, it gets me thinking about an online model.
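
The localhost redirect described in this post, as an added example that is not part of the original post or any Twitch code: a Node.js loopback receiver that only runs while login is pending. With an implicit-grant redirect the access_token sits in the URL fragment, which the browser never sends to a server, so the page served at `/callback` relays it; the port, the `/callback` and `/token` paths and all function names are assumptions made for illustration.

```javascript
// Added example: loopback receiver for an OAuth2 implicit-grant redirect.
// Assumptions (not from the post): paths /callback and /token, function names.
const http = require('http');
const crypto = require('crypto');

// The fragment (#access_token=...) never reaches the server, so /callback
// serves a page whose script forwards it to /token on the same loopback
// origin, then removes the fragment from the address bar and history entry.
const RELAY_PAGE = '<!doctype html><body><script>' +
  'fetch("/token?" + location.hash.slice(1)).then(() => {' +
  'history.replaceState(null, "", "/callback");' +
  'document.body.textContent = "You can close this tab."; });</script>';

// Constant-time comparison of the returned state with the one we generated.
function sameState(a, b) {
  const x = Buffer.from(String(a)), y = Buffer.from(String(b));
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Pure request handler: returns what to send and, on success, the token.
function handleRequest(rawUrl, expectedState) {
  const url = new URL(rawUrl, 'http://127.0.0.1');
  if (url.pathname === '/callback') return { status: 200, body: RELAY_PAGE, token: null };
  if (url.pathname !== '/token') return { status: 404, body: 'not found', token: null };
  const token = url.searchParams.get('access_token');
  const state = url.searchParams.get('state');
  // Reject redirects that were not started by this run of the application.
  if (!token || !state || !sameState(state, expectedState)) {
    return { status: 400, body: 'state mismatch', token: null };
  }
  return { status: 200, body: 'ok', token };
}

// Listen on 127.0.0.1 only (not all interfaces) and stop after one valid token.
function waitForToken(port, expectedState) {
  return new Promise((resolve) => {
    const server = http.createServer((req, res) => {
      const out = handleRequest(req.url, expectedState);
      res.writeHead(out.status, { 'Content-Type': 'text/html', 'Cache-Control': 'no-store' });
      res.end(out.body);
      if (out.token) { server.close(); resolve(out.token); }
    });
    server.listen(port, '127.0.0.1');
  });
}
```

The application would generate `expectedState` with `crypto.randomBytes(16).toString('hex')`, include it as the `state` parameter of the authorization URL it opens in the browser, and then await `waitForToken`.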